diff options
| author | Hugh Dickins <hughd@google.com> | 2011-12-31 14:44:01 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-12-31 14:48:28 -0500 |
| commit | e6780f7243eddb133cc20ec37fa69317c218b709 (patch) | |
| tree | 81e427161f0604a8935180f8c454593142c0f272 | |
| parent | 06867fbb8abc936192195e5dcc4b63e12cc78f72 (diff) | |
futex: Fix uninterruptible loop due to gate_area
It was found (by Sasha) that if you use a futex located in the gate
area we get stuck in an uninterruptible infinite loop, much like the
ZERO_PAGE issue.
While looking at this problem, PeterZ realized you'll get into similar
trouble when hitting any install_special_pages() mapping. And are there
still drivers setting up their own special mmaps without page->mapping,
and without special VM or pte flags to make get_user_pages fail?
In most cases, if page->mapping is NULL, we do not need to retry at all:
Linus points out that even /proc/sys/vm/drop_caches poses no problem,
because it ends up using remove_mapping(), which takes care not to
interfere when the page reference count is raised.
But there is still one case which does need a retry: if memory pressure
called shmem_writepage in between get_user_pages_fast dropping page
table lock and our acquiring page lock, then the page gets switched from
filecache to swapcache (and ->mapping set to NULL) whatever the refcount.
Fault it back in to get the page->mapping needed for key->shared.inode.
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | kernel/futex.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/kernel/futex.c b/kernel/futex.c index ea87f4d2f455..1614be20173d 100644 --- a/kernel/futex.c +++ b/kernel/futex.c | |||
| @@ -314,17 +314,29 @@ again: | |||
| 314 | #endif | 314 | #endif |
| 315 | 315 | ||
| 316 | lock_page(page_head); | 316 | lock_page(page_head); |
| 317 | |||
| 318 | /* | ||
| 319 | * If page_head->mapping is NULL, then it cannot be a PageAnon | ||
| 320 | * page; but it might be the ZERO_PAGE or in the gate area or | ||
| 321 | * in a special mapping (all cases which we are happy to fail); | ||
| 322 | * or it may have been a good file page when get_user_pages_fast | ||
| 323 | * found it, but truncated or holepunched or subjected to | ||
| 324 | * invalidate_complete_page2 before we got the page lock (also | ||
| 325 | * cases which we are happy to fail). And we hold a reference, | ||
| 326 | * so refcount care in invalidate_complete_page's remove_mapping | ||
| 327 | * prevents drop_caches from setting mapping to NULL beneath us. | ||
| 328 | * | ||
| 329 | * The case we do have to guard against is when memory pressure made | ||
| 330 | * shmem_writepage move it from filecache to swapcache beneath us: | ||
| 331 | * an unlikely race, but we do need to retry for page_head->mapping. | ||
| 332 | */ | ||
| 317 | if (!page_head->mapping) { | 333 | if (!page_head->mapping) { |
| 334 | int shmem_swizzled = PageSwapCache(page_head); | ||
| 318 | unlock_page(page_head); | 335 | unlock_page(page_head); |
| 319 | put_page(page_head); | 336 | put_page(page_head); |
| 320 | /* | 337 | if (shmem_swizzled) |
| 321 | * ZERO_PAGE pages don't have a mapping. Avoid a busy loop | 338 | goto again; |
| 322 | * trying to find one. RW mapping would have COW'd (and thus | 339 | return -EFAULT; |
| 323 | * have a mapping) so this page is RO and won't ever change. | ||
| 324 | */ | ||
| 325 | if ((page_head == ZERO_PAGE(address))) | ||
| 326 | return -EFAULT; | ||
| 327 | goto again; | ||
| 328 | } | 340 | } |
| 329 | 341 | ||
| 330 | /* | 342 | /* |